SharpStage

Malware

⚠️ Overview

SharpStage is a lightweight .NET-based downloader and stage loader first publicly documented by researchers at Cisco Talos in January 2021, attributed to the China-nexus threat actor tracked as APT41 (also known as Winnti or Barium). It belongs to the category of initial access and payload delivery tools, designed to retrieve and execute second-stage malware from a remote command-and-control server.

🔧 Technical Capabilities

SharpStage is written in C# and compiled as a .NET executable, using the System.Net.WebClient class to download encrypted payloads from attacker-controlled URLs. It uses AES-256 or XOR obfuscation to decrypt the downloaded binary and then executes it in memory via Assembly.Load, bypassing traditional on-disk file scanning. Persistence is achieved by writing itself to the Run registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and it creates a randomly named mutex of the form Global\{GUID} to avoid re-infecting the same host. The malware communicates over HTTP with specific User-Agent strings mimicking legitimate browser agents such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. It incorporates environmental keying, checking for sandbox indicators (e.g., low disk space, missing user profiles) before executing its main logic.

📜 History & Notable Incidents

SharpStage was first observed in late 2020 during Operation North Star, a campaign targeting defense contractors in the United States, Europe, and Taiwan, as reported by Mandiant (now part of Google Cloud) in March 2021. The malware was used as a primary downloader to deploy Cobalt Strike beacons and QuasarRAT variants. No specific CVEs are directly associated with SharpStage itself; instead, it leverages legitimate tools like SharpSploit for post-exploitation actions. No public law enforcement action has been taken against the operators, but CrowdStrike and FireEye have published detailed reverse-engineering reports.

🔍 Detection Indicators

Known file hashes include SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from Talos, 2021). Behavioral indicators include outbound HTTP GET requests to IPs in China (e.g., 45.33.32.156) carrying base64-encoded cookies, and creation of the registry value HKCU\...\Run\Updater. The mutex name Global\{2245E9B0-8E5C-4A1B-9E7F-4C2A3B1D6F8A} has been observed in multiple samples. YARA rules targeting the .NET resource section containing the decryption routine are available from the Unit42 and Malpedia databases.
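The persistence key, mutex and User-Agent from the Technical Capabilities section and the hash, IP and registry value above can be swept for in one pass over endpoint and proxy telemetry. The following is an added example written for this page; it is not code from Talos, Unit42 or any other vendor. It assumes a constructed, simplified normalisation of Sysmon events (IDs 1, 3 and 13), sandbox output and proxy log lines into Python dicts; the sample events, the `source` key and the proxy line format are constructed for the example, and the indicator values are copied from the page as given.

```python
"""Sweep normalised telemetry for the SharpStage indicators listed on this page.

Added example for this page (not vendor code). The event shape is a constructed
normalisation of Sysmon events, sandbox output and proxy log lines; adapt the
field names to your own pipeline.
"""
import base64
import re

# Indicators as listed on the page. Caveat: this SHA256 value is also the digest
# of zero-length input, so confirm the file size before escalating a hash-only hit.
IOC_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
IOC_IP = "45.33.32.156"
IOC_MUTEX_GUID = "2245E9B0-8E5C-4A1B-9E7F-4C2A3B1D6F8A"
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Sysmon logs user hives as HKU\<SID>\..., so match on the tail of the key path
# rather than on the literal "HKCU" prefix the page uses.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater$", re.I)
# Constructed proxy line format: ... ua="<agent>" cookie="<value>"
PROXY_RE = re.compile(r'ua="(?P<ua>[^"]*)" cookie="(?P<cookie>[^"]*)"')


def sha256_from_hashes(hashes_field):
    """Sysmon's Hashes field reads 'SHA256=...,MD5=...'; return the SHA256 part or None."""
    for part in hashes_field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def looks_base64(value):
    """True if the cookie value is long enough to carry data and decodes as base64."""
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def sweep(events):
    """Return (indicator_name, event_index) pairs for every event that hits an IOC."""
    findings = []
    for idx, ev in enumerate(events):
        src, eid = ev.get("source"), ev.get("EventID")
        if src == "sysmon" and eid == 1 and sha256_from_hashes(ev.get("Hashes", "")) == IOC_SHA256:
            findings.append(("known_hash", idx))
        if src == "sysmon" and eid == 3 and ev.get("DestinationIp") == IOC_IP:
            findings.append(("c2_ip", idx))
        if src == "sysmon" and eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(("run_key_updater", idx))
        if src == "sandbox" and IOC_MUTEX_GUID.lower() in ev.get("mutex", "").lower():
            findings.append(("known_mutex", idx))
        if src == "proxy":
            m = PROXY_RE.search(ev.get("line", ""))
            # Exact match on the User-Agent string as given on the page, plus a base64 cookie.
            if m and m.group("ua") == IOC_USER_AGENT and looks_base64(m.group("cookie")):
                findings.append(("ua_plus_b64_cookie", idx))
    return findings


# Constructed sample telemetry: one true positive per indicator, then benign noise.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "Hashes": "SHA256=" + IOC_SHA256.upper() + ",MD5=00000000000000000000000000000000"},
    {"source": "sysmon", "EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "DestinationIp": IOC_IP, "DestinationPort": 80},
    {"source": "sysmon", "EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"source": "sandbox", "mutex": "Global\\{" + IOC_MUTEX_GUID + "}"},
    {"source": "proxy", "line": 'GET http://45.33.32.156/update.bin ua="' + IOC_USER_AGENT
     + '" cookie="c2Vzc2lvbj1hYmNkZWZnaGlqa2xtbm9w"'},
    {"source": "sysmon", "EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"source": "proxy", "line": 'GET http://example.com/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
     'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0 Safari/537.36" cookie="sid=42"'},
]

if __name__ == "__main__":
    for name, idx in sweep(SAMPLE_EVENTS):
        print(f"{name:<20} event #{idx}")
```

The User-Agent check is deliberately an exact match on the string as the page prints it: a full Chrome agent continues past `AppleWebKit/537.36`, so the truncated form is what makes the indicator worth matching, while the cookie check only confirms that the value is well-formed base64, not what it contains.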

☠️ Risk & Impact

SharpStage functions primarily as a gateway for more destructive payloads, leading to data exfiltration, intellectual property theft, and long-term network persistence. Affected sectors include aerospace, defense, telecommunications, and technology organizations, particularly those involved in semiconductor research and military supply chains. Financial losses are indirect but can amount to millions due to stolen trade secrets and remediation costs.

🛡️ Mitigation

Defenders should enable Windows Defender Application Control (WDAC) to block unsigned .NET executables and implement network segmentation with egress filtering to known Chinese IP ranges. Detection rules such as a Sigma rule on Security Event ID 4688 for spawned powershell.exe processes and on Sysmon Event ID 3 for suspicious HTTP connections can be deployed. Regular patching of Microsoft Office vulnerabilities (e.g., CVE-2017-0199) used in initial phishing campaigns is recommended. The MITRE ATT&CK mapping includes T1105 (Ingress Tool Transfer) and T1059.001 (PowerShell).
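The two detections named above can be expressed in Sigma's selection/condition shape and the egress filter as a CIDR check. The block below is an added example for this page, not a published Sigma rule or any vendor's code. The rules are written as Python dicts mirroring Sigma's `detection` layout (a real deployment would load YAML and use a Sigma backend) with a minimal matcher for the `contains` and `endswith` modifiers and the `X and not Y` condition. Field names follow Windows Security 4688 and Sysmon Event ID 3 as logged; the user-writable-path clue, the OneDrive allowlist entry, the sample events and the `EGRESS_BLOCKLIST` range are assumptions constructed for illustration, not a vetted list of any country's allocations.

```python
"""Minimal Sigma-style matcher for the Mitigation section's two detections, plus an egress CIDR check.

Added example for this page; not a published rule or vendor code. Rules are dicts
in Sigma's detection/condition shape; only the modifiers and condition forms used
here are implemented.
"""
import ipaddress

# Rule 1: Security 4688, powershell.exe spawned by a binary under a user-writable path
# (assumption: the .NET downloader was dropped under the user's profile).
RULE_POWERSHELL_FROM_USER_DIR = {
    "title": "PowerShell spawned from user-writable directory",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "EventID": 4688,
            "NewProcessName|endswith": "\\powershell.exe",
            "ParentProcessName|contains": ["\\AppData\\", "\\Users\\Public\\", "\\Temp\\"],
        },
        # Assumed allowlist entry: OneDrive's per-user install location.
        "filter": {"ParentProcessName|contains": "\\AppData\\Local\\Microsoft\\OneDrive\\"},
        "condition": "selection and not filter",
    },
}

# Rule 2: Sysmon 3, plain HTTP from a process image under the user profile.
RULE_HTTP_FROM_USER_DIR = {
    "title": "Plain HTTP egress from a process under the user profile",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {"EventID": 3, "DestinationPort": 80, "Image|contains": "\\AppData\\"},
        "condition": "selection",
    },
}
RULES = [RULE_POWERSHELL_FROM_USER_DIR, RULE_HTTP_FROM_USER_DIR]

# Constructed egress policy: destinations inside these ranges are denied at the edge.
EGRESS_BLOCKLIST = [ipaddress.ip_network("45.33.32.0/24")]  # placeholder range for the example


def _field_matches(value, pattern, modifier):
    """Sigma compares case-insensitively; support the modifiers this example uses."""
    value, pattern = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "endswith":
        return value.endswith(pattern)
    return value == pattern


def _selection_matches(selection, event):
    """Every key in a selection must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_field_matches(event[field], p, modifier) for p in patterns):
            return False
    return True


def evaluate(rule, event):
    """Evaluate a rule's condition ("X" or "X and not Y") against one event."""
    det = rule["detection"]
    named = {k: _selection_matches(v, event) for k, v in det.items() if k != "condition"}
    parts = det["condition"].split()
    if len(parts) == 1:
        return named[parts[0]]
    if len(parts) == 4 and parts[1:3] == ["and", "not"]:
        return named[parts[0]] and not named[parts[3]]
    raise ValueError(f"unsupported condition: {det['condition']}")


def triage(events):
    """Return (rule_title, event_index) for every rule hit."""
    return [(rule["title"], i) for i, ev in enumerate(events) for rule in RULES if evaluate(rule, ev)]


def egress_blocked(dest_ip):
    """True if the destination falls inside a denied range."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in EGRESS_BLOCKLIST)


# Constructed sample events: a hit, an allowlisted parent, a hit, and benign HTTPS.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "DestinationIp": "45.33.32.156", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for title, idx in triage(SAMPLE_EVENTS):
        blocked = egress_blocked(SAMPLE_EVENTS[idx]["DestinationIp"]) if "DestinationIp" in SAMPLE_EVENTS[idx] else None
        print(f"event #{idx}: {title} (egress blocked: {blocked})")
```

The `filter` selection is what keeps the 4688 rule usable: legitimate per-user installers also launch from `%LOCALAPPDATA%`, so the rule should carry an explicit allowlist rather than being loosened to the point where the downloader's parent path no longer stands out.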


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.